Skip to Content

This blog is part of a series which is related to setting up Cloud Identity to authenticate Cloud Portal in different scenarios.

In the previous blog, we saw how to create roles and assign them manually to users within the Cloud Portal.In real world scenario, it is unlikely that we would be adding each user to these custom HCP roles. Assume, if there are 1000’s of users and managing this assignment within the Cloud Portal configuration section would become cumbersome. In this blog, I am going to show how we can map users to groups and manage this more efficiently.

Creation of Groups in HCP Cockpit

When dealing with large user volumes, it is recommended to have groups to manage the user access. Navigate to the “Authorization” menu of the HCP cockpit and create two groups – Employee & Manager. Assign the respective HCP roles as shown below.


Navigate to the Cloud Portal Configuration section and un-assign the users from the Employee and Manager role. Notice that the assigned groups for a particular role shows up on the right-hand side.


Creation of Groups in Cloud Identity

Login to SCI as an administrator click on “User Groups” tile


Add two groups – one for Employee and other for Manager.


Navigate back to the “User Management” tile and edit the Employee User to assign this user to the newly created SCI User Group.


Repeat the same for Manager User and assign this user to Manager Group created in SCI.

Configure application in Cloud Identity

Navigate to the “Applications” tiles and select the HCP account which has been setup as the service provider. Under SAML 2.0 section, click on “Assertion Attributes”.


Add a new attribute called “groups” as shown below and save your changes.


Navigate to the Trust settings in HCP Cockpit and click on the linked SCI tenant.


This should bring up a popup screen with Attributes and Groups tab. Select the “Groups” tab and click on “Add Assertion-Based Group”.

On the left-hand side, the employee group refers to the HCP employee group. This needs to be mapped with the SCI group called “Employee_SCI_Group”. Under Mapping Rule, we have added groups as this was set in the Assertion attributes previously.


Save your changes and try to launch the Portal site as a Manager. You should be presented with the Apps relevant for Manager role.


In the next blog, we shall see how to setup and use Two-Factor Authentication (2FA) in SCI to access the Cloud Portal.

To report this post you need to login first.


You must be Logged on to comment or reply to a post.

  1. Juan Alejandro Knight

    Very good post. Just one comment. I have tested a similar scenario with a user assigned to two different groups. I have mapped the SCP groups to the SCI user groups using regular expression and it works fine.

    The is a curious detail. Although the SAML Assetion Attribute is called “groups” this is quite misleading. I have called the User API to display the values of the assertion attributes for the current user. Strangely, the field “groups” comes with only one group key although in SCI it has assigned two user groups. I expected this field to return the groups delimitted by a comma or something of that sort.


Leave a Reply